An Efficient Provable Distinguisher for HFE

  • Vivien Dubois
  • Louis Granboulan
  • Jacques Stern
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4052)


The HFE cryptosystem was the subject of several cryptanalytic studies, sometimes successful, but always heuristic. To contrast with this trend, this work goes back to the beginning and achieves in a provable way a first step of cryptanalysis, which consists in distinguishing HFE public keys from random systems of quadratic equations. We provide two distinguishers: the first one has polynomial complexity and subexponential advantage; the second has subexponential complexity and advantage close to one. These distinguishers are built on the differential methodology introduced at Eurocrypt’05 by Fouque et al. Their rigorous study makes extensive use of combinatorics in binary vector spaces. This combinatorial approach is novel in the context of multivariate schemes. We believe that the alliance of both techniques provides a powerful framework for the mathematical analysis of multivariate schemes.


Keywords: Multivariate cryptography; HFE; differential cryptanalysis




  1. Kipnis, A., Shamir, A.: Cryptanalysis of the HFE Public Key Cryptosystem. In: Wiener, M.J. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 19–30. Springer, Heidelberg (1999)
  2. Solow, A.E., Nijenhuis, H.S.W.A.: Bijective methods in the theory of finite vector spaces. J. Combin. Theory (A) 37, 80–84 (1984)
  3. Shamir, A.: Efficient signature schemes based on Birational Permutations. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 1–12. Springer, Heidelberg (1994)
  4. Wolf, C., Preneel, B.: Taxonomy of Public Key Schemes based on the problem of Multivariate Quadratic equations. Cryptology ePrint Archive, Report /077 (2005)
  5. Fell, H., Diffie, W.: Analysis of a Public Key Approach based on Polynomial Substitution. In: Williams, H.C. (ed.) CRYPTO 1985. LNCS, vol. 218, pp. 340–349. Springer-Verlag, Heidelberg (1986)
  6. Faugère, J.-C., Joux, A.: Algebraic cryptanalysis of Hidden Field Equation (HFE) cryptosystems using Gröbner Bases. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 44–60. Springer, Heidelberg (2003)
  7. Ding, J.: A new variant of the Matsumoto-Imai Cryptosystem through Perturbation. In: Bao, F., Deng, R., Zhou, J. (eds.) PKC 2004. LNCS, vol. 2947, pp. 305–318. Springer, Heidelberg (2004)
  8. Ding, J., Schmidt, D.: Cryptanalysis of HFEv and Internal Perturbation of HFE. In: Vaudenay, S. (ed.) PKC 2005. LNCS, vol. 3386, pp. 288–301. Springer, Heidelberg (2005)
  9. Goldman, J., Rota, G.-C.: The number of subspaces of a vector space. In: Tutte, W.T. (ed.) Recent Progress in Combinatorics, pp. 75–83. Academic Press, London (1969)
  10. Patarin, J.: Cryptanalysis of the Matsumoto and Imai Public Key Scheme of Eurocrypt’88. In: Coppersmith, D. (ed.) CRYPTO 1995. LNCS, vol. 963, pp. 248–261. Springer-Verlag, Heidelberg (1995)
  11. Patarin, J.: Hidden Field Equations (HFE) and Isomorphisms of Polynomials (IP): two families of asymmetric algorithms. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 33–46. Springer, Heidelberg (1996)
  12. Morrison, K.E.: An introduction to q-species (2005)
  13. Ireland, K., Rosen, M.: A Classical Introduction to Modern Number Theory, 2nd edn. Springer, Heidelberg (1998)
  14. Garey, M., Johnson, D.: Computers and Intractability: A Guide to the Theory of NP-Completeness. Freeman, New York (1979)
  15. Courtois, N.: The security of Hidden Field Equations (HFE). In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 266–281. Springer, Heidelberg (2001)
  16. Fouque, P.-A., Granboulan, L., Stern, J.: Differential cryptanalysis for Multivariate Schemes. In: Vaudenay, S. (ed.) PKC 2005. LNCS, vol. 3386, pp. 341–353. Springer-Verlag, Heidelberg (2005)
  17. Shor, P.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput. 26(5), 1484–1509 (1997)
  18. Finch, S.: Mathematical Constants. Cambridge University Press, pp. 354–361 (2003)
  19. Matsumoto, T., Imai, H.: A class of asymmetric cryptosystems based on Polynomials over Finite Rings. In: ISIT 1983, pp. 131–132 (1983)
  20. Matsumoto, T., Imai, H.: Public Quadratic Polynomial-tuples for efficient signature-verification and message encryption. In: Günther, C.G. (ed.) EUROCRYPT 1988. LNCS, vol. 330, pp. 419–453. Springer, Heidelberg (1988)
  21. Dubois, V., Granboulan, L., Stern, J.: Cryptanalysis of HFE with Internal Perturbation. Work in progress (2006)

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Vivien Dubois (1)
  • Louis Granboulan (1)
  • Jacques Stern (1)
  1. Département d’Informatique, École normale supérieure, Paris, France
